Codepens
-
This is less of a request and more of an effort to reopen discussion on an interesting idea that sort of wound up forgotten for various reasons that I won't go into here.
In the early days of planning this forum, @rob advocated for incorporating Codepens into the forum. (Archive link: http://www.votingtheory.org:3000/archive/posts?where={"topic_id"%3A734} ) He argued that it would be useful for users to be able to copy example elections that forum users came up with into codepens so that they can figure out what is going on in the example without having to do a lot of computations by hand. This seems like quite a good thing!
However, allowing users to embed codepen plugins into their posts seems like a possible security concern. Obviously it's unsafe to let people run arbitrary javascript on the site, even if the codepens require user permission before they can run. I don't know much about javascript or codepens so there may well be some obvious detail I'm missing.
What could safely be done with codepens on the site?
-
@Marylander Codepens aren't running arbitrary JS on the actual site, they are running it in an iframe that is embedded into the site and can't communicate with the JS runtime within the site.
If they allowed people to, for instance, steal your login credentials (e.g. read your document.cookie and then post it to a random URL), Codepen would have never even considered making them run embedded in forums. I can assure you they carefully considered the security implications and architected it in a way that prevents such things.
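An added illustration of the isolation described in the post above (not part of the thread, and not the code of nodebb-plugin-codepen): a forum-side helper that accepts only a genuine CodePen pen link and rebuilds it as a cross-origin, sandboxed iframe. `FORUM_ORIGIN`, the function names and the chosen sandbox tokens are assumptions of this sketch.

```javascript
// Added example: turn a user-supplied CodePen link into a sandboxed iframe.
// FORUM_ORIGIN and the function names are assumptions made for this sketch.
const FORUM_ORIGIN = "https://forum.example"; // placeholder forum origin
const PEN_PATH = /^\/([A-Za-z0-9_-]{1,64})\/pen\/([A-Za-z0-9]{1,32})\/?$/;

// Same-origin policy: two URLs share an origin only if scheme, host and port match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns iframe HTML for an allowed pen URL, or null for anything else.
function penToIframe(userUrl) {
  let u;
  try {
    u = new URL(userUrl);
  } catch {
    return null; // not a parseable absolute URL
  }
  // Exact-match checks: no other schemes, no look-alike hosts, no credentials or port.
  if (u.protocol !== "https:" || u.hostname !== "codepen.io") return null;
  if (u.username || u.password || u.port) return null;
  const m = PEN_PATH.exec(u.pathname);
  if (!m) return null;
  // Rebuild the URL from validated parts only; query and fragment are dropped.
  const src = `https://codepen.io/${m[1]}/embed/${m[2]}?default-tab=result`;
  // A frame on the forum's own origin could read the forum's cookies, so refuse it.
  if (sameOrigin(src, FORUM_ORIGIN)) return null;
  // Sandbox tokens are an assumed starting set: scripts run inside the frame,
  // which keeps codepen.io's origin and gets no top-level navigation or popups.
  return `<iframe src="${src}" sandbox="allow-scripts allow-same-origin" ` +
         `referrerpolicy="no-referrer" loading="lazy" title="CodePen embed"></iframe>`;
}
```

Because the frame's origin is codepen.io and the page's origin is the forum, script inside the pen gets a cross-origin error when it tries to reach the parent's document, which is why `document.cookie` of the forum stays out of reach.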
-
So, using the iframe technique, the burden of learning enough about NodeBB to be able to build a plugin to allow them to be embedded in posts could be relatively light. Whoever wants to give it a try should send me their public key for SSH.
-
@Jack-Waugh Nobody needs to build a plug in, it already exists. You just need to install it. https://www.npmjs.com/package/nodebb-plugin-codepen
-
theory@votingtheory:~/nodebb$ npm install nodebb-plugin-codepen
> husky@4.2.5 install /home/theory/nodebb/node_modules/husky
> node husky install
husky > Setting up git hooks
husky > Done
> core-js@2.6.12 postinstall /home/theory/nodebb/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"
Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!
The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock
Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)
> nodemailer@6.4.5 postinstall /home/theory/nodebb/node_modules/smtp-server/node_modules/nodemailer
> node -e "try{require('./postinstall')}catch(e){}"
=== Nodemailer 6.4.5 ===
Thank you for using Nodemailer for your email sending needs!
While Nodemailer itself is mostly meant to be a SMTP client there are other related projects in the Nodemailer project as well.
For example:
> IMAP API ( https://imapapi.com ) is a server application to easily access IMAP accounts via REST API
> NodemailerApp ( https://nodemailer.com/app/ ) is a cross platform GUI app to debug emails
> husky@4.2.5 postinstall /home/theory/nodebb/node_modules/husky
> opencollective-postinstall || exit 0
Thank you for using husky!
If you rely on this package, please consider supporting our open collective:
> https://opencollective.com/husky/donate
npm WARN nodebb-plugin-emoji-android@2.0.0 requires a peer of nodebb-plugin-emoji@^2.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN textcomplete.contenteditable@0.1.1 requires a peer of textcomplete@^0.14.2 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.1.3 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
+ nodebb-plugin-codepen@0.2.0
added 650 packages from 338 contributors and audited 1363 packages in 37.461s
77 packages are looking for funding
run `npm fund` for details
found 118 vulnerabilities (11 low, 20 moderate, 83 high, 4 critical)
run `npm audit fix` to fix them, or `npm audit` for details
-
-
@Jack-Waugh
So it is installed? Do I just do this? https://codepen.io/karmatics/pen/eYJxXge
(apparently not.... are you sure it is running?)
-
@rob, the admin page that lists the plugins says it is activated. However, when I did the "npm install" (prior), I received several warnings. I posted those. I don't know whether any of those are keeping it from working.
Maybe I should take the latest NodeBB.
-
@rob, I told the add-on to install itself, and it says it is installed, but evidently it does not actually work. Do you have a suggestion on what I should do next?
-
I would go to the NodeBB forums. If you want me to do this, I can, but since you are the one who can respond and do what they say to do, it might be easier for you to do it.
We'd also like to have embeddable YouTube videos, which last I checked didn't work.
-
@rob, I predict that their first answer will be "update to the latest."
-
Possibly. It would be interesting to see if the plug in is actively supported.
-
@rob So you still think that the next step is to go ask.
Here is, I think, the best procedure for an upgrade. Wait until some time that is between 3am and 6am, New York time. Purchase the backup service from Linode ($2/mo.). Stop NodeBB. Trigger a backup. Await its completion. As long as the forum is going to be down anyway, this is a good opportunity to update the OS*. Upgrade NodeBB. Restart it. Do a cursory sanity check. After about a week, drop the backup service.
* It's Ubuntu. If I had it to do over again, I would use straight Debian, which is stabler and needs less-frequent updates.
-
Yes, especially if you are ready to move if they offer a suggestion.
I posted a test here:
https://community.nodebb.org/topic/16088/codepen-plugin-test
I wish it auto-ran, but that's better than nothing.
-
@rob I put the query on the support forum. https://community.nodebb.org/post/85573
-